lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Thu, 26 Oct 2006 23:53:20 +0100
From:	David Howells <dhowells@...hat.com>
To:	Stephen Smalley <sds@...ho.nsa.gov>
Cc:	aviro@...hat.com, linux-kernel@...r.kernel.org,
	selinux@...ho.nsa.gov, chrisw@...s-sol.org, jmorris@...ei.org
Subject: Re: Security issues with local filesystem caching 

Stephen Smalley <sds@...ho.nsa.gov> wrote:

> When the daemon writes the context value (a string) to the cachefiles
> module interface for a given cache, the cachefiles module would do
> something like the following:

This looks reasonable.

> SELinux would then provide selinux_secctx_to_secid() and
> selinux_cache_set_context() implementations; the former would just be call to
> selinux_string_to_sid(),

That sounds fairly easy.

> while the latter would require some new permission check to be defined
> unless we can treat this as equivalent to some existing operation.

So what does this actually check?  I assume it checks that the process's
current context permits the use of the specified secid in this snippet:

	/* Check permission of current to set this context. */
	rc = security_cache_set_context(secid);

> You'll find that there is already a security_secid_to_secctx() hook defined
> for LSM, so the first hook just adds the other direction.

Okay.

> 	cache->secid = secid;

I was wondering if the cache struct should have a "void *security" that the LSM
modules can set, free and assert temporarily, but this sounds like it will do.

> Later, when going to create a file in that cache, the cachefiles module
> would do something like:
> 	/* Save and switch the fs secid for creation. */
> 	fssecid = security_getfssecid();
> 	security_setfssecid(cache->secid);
> 	<create file>
> 	/* Restore the original fs secid. */
> 	security_setfssecid(fssecid);
> SELinux would then provide selinux_getfsecid() and selinux_setfssecid()
> implementations that are just:
> 	u32 selinux_getfssecid(void)
> 	{
> 		struct task_security_struct *tsec = current->security;
> 		return tsec->create_sid;
> 	}
> 	void selinux_setfssecid(u32 secid)
> 	{
> 		struct task_security_struct *tsec = current->security;
> 		tsec->create_sid = secid;
> 	}

That sounds doable.  I presume I should attend to fsuid/fsgid myself, much as
I'm doing now?

David
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ